Cross Domain Limitations With Ajax - JSON

Question

When requesting (ht|x)ml with ajax you can only send requests to the same domain. But if you request JSON you can send it to any domain. Why?

I\'m told it\'s for sec

Answer 1

Here is an example of why someone would hack an AJAX request.

https://blog.codinghorror.com/preventing-csrf-and-xsrf-attacks/

http://directwebremoting.org/blog/joe/2007/04/04/how_to_protect_a_json_or_javascript_service.html